Hi Everyone,
I have a question regarding looking up an extracted/generated field from Splunk against Active Directory at search time.
The objective is as follows
1. Extract hostname from DHCP log
2. Check if hostname is present as a Computer object in AD
3. If not present, return hostname as a result
Do I have to extract all AD computer account objects and then put them in a CSV file to do a lookup against, or is it possible to compare the extracted hostnames against AD directly at search time using something like inline ldapsearch?
Any help would be greatly appreciated, I hope my search fu did not miss an answer to this kind of question already.
Many thanks
David.
Use a subsearch result to populate the search condition of the main search.
<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>
The subsearch will return something in the format (host=A OR host=B OR host=C ...)
The timerange will be the same for both searches. You can specify manually in the search terms if different ranges are needed.
See http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents
It certainly is possible to perform a dynamic (scripted) lookup against any external source (such as Active Directory) rather than keeping the file up to date, or using a subsearch.
The subsearch as answered by yannK does solve your problem, provided you use the ldapsearch search command that is provided in the Splunk Support for AD app http://apps.splunk.com/app/1151/# It does have some limitations though.
If you did want a lookup, you would either keep the AD CSV file up-to-date, or you would build a dynamic lookup. Unfortunately the Splunk AD app doesn't include such a program. You can find out how to structure such a lookup program here: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...
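To make the "dynamic lookup" option concrete, here is an added example of what such a lookup program looks like; it is not code from the thread or from the Splunk AD app. Splunk hands an external lookup script a CSV (with a header row) on stdin and expects the same CSV back on stdout with the output field filled in. The script assumes a lookup field called `host` and an output field called `in_ad`, and it uses a constructed list of AD computer names in place of a live LDAP query, so it runs offline. It also handles the normalization a practitioner needs: DHCP hostnames often carry a DNS suffix and mixed case, while AD stores computers as `NAME$`, so a raw string comparison would report every machine as missing.

```python
# Added example: a Splunk-style external lookup script that flags DHCP
# hostnames with no matching computer object in Active Directory.
# Field names (host, in_ad) and the AD sample are assumptions for this example.
import csv
import io
import sys


def normalize_host(name):
    """Reduce a DHCP hostname or an AD sAMAccountName to a comparable short name.

    'ws-0123.corp.example' (DHCP) and 'WS-0123$' (AD) must compare equal,
    otherwise every host would be reported as absent from AD.
    """
    name = name.strip().rstrip("$")
    name = name.split(".", 1)[0]       # drop any DNS suffix
    return name.upper()


def load_ad_computers(entries):
    """Build the set of known computer names from sAMAccountName values.

    In production `entries` would come from an LDAP query for computer objects
    (the Splunk AD app's ldapsearch command can produce them); here the caller
    passes a constructed list.
    """
    return {normalize_host(e) for e in entries}


def run_lookup(csv_in, known_hosts, host_field="host", out_field="in_ad"):
    """Implement Splunk's external-lookup CSV exchange.

    Splunk writes a header row plus one row per event to stdin; the script
    must echo the same header and fill in the output field. Returns the CSV
    text that would be written to stdout.
    """
    reader = csv.DictReader(io.StringIO(csv_in))
    fieldnames = list(reader.fieldnames or [])
    if host_field not in fieldnames:
        raise ValueError(f"input CSV lacks field {host_field!r}")
    if out_field not in fieldnames:
        fieldnames.append(out_field)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        host = row.get(host_field) or ""
        row[out_field] = "true" if normalize_host(host) in known_hosts else "false"
        writer.writerow(row)
    return buf.getvalue()


def missing_hosts(csv_in, known_hosts):
    """Return the hostnames the lookup marked as absent from AD (objective step 3)."""
    out = run_lookup(csv_in, known_hosts)
    return [r["host"] for r in csv.DictReader(io.StringIO(out)) if r["in_ad"] == "false"]


# Constructed sample data, not taken from any real directory or DHCP server.
SAMPLE_AD = ["WS-0123$", "FILESRV01$", "LAPTOP-AB12$"]
SAMPLE_INPUT = "host,in_ad\nws-0123.corp.example,\nprinter-7,\nLAPTOP-AB12,\n"

if __name__ == "__main__":
    # When run by Splunk, stdin carries the lookup CSV; run by hand with no
    # piped input, fall back to the constructed sample so the script demonstrates itself.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INPUT
    sys.stdout.write(run_lookup(data, load_ad_computers(SAMPLE_AD)))
```

Wired into Splunk, the script would be declared in transforms.conf as an external lookup (`external_cmd = ad_host_lookup.py host in_ad` with `fields_list = host,in_ad`, the stanza and file names being assumptions here), after which `| lookup <stanza> host OUTPUT in_ad | where in_ad="false"` yields the hostnames that are not computer objects in AD. Note that the normalization only removes a DNS suffix and the trailing `$`; if your DHCP logs record hostnames in some other form, adjust `normalize_host` rather than comparing raw strings.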
Many thanks, I messed up when marking answers so you should both get the nod for answering my question
You can use the 'ldapfilter' command to query against LDAP in the search.